Security

Last updated: May 1, 2026

Our Commitment to Security

At Glacier, we understand that our customers entrust us with sensitive ESG data. Protecting this data is fundamental to everything we do. Our security program is designed to meet the highest standards and is continuously improved.

Infrastructure & Hosting

  • Cloud-first architecture hosted on certified platforms (ISO 27001/27017/27018)
  • All data processed and stored within the European Union
  • No physical infrastructure managed by Glacier — fully managed cloud services
  • Redundant backups with defined retention: daily backups kept for 30 days, monthly backups kept for 12 months

Data Encryption

  • In Transit: TLS 1.2/1.3 for all external and client-facing traffic
  • At Rest: AES-256 encryption for all stored data
  • Passwords stored only as salted bcrypt hashes (industry-standard cost factor), never in plaintext or reversible form
  • Security headers enforced: CSP, X-Frame-Options, HSTS, Referrer-Policy
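
The header list above is easy to claim and easy to get subtly wrong (an HSTS max-age of a few minutes, a CSP that allows 'unsafe-inline' scripts, a permissive Referrer-Policy). The following audit function is an added example, not Glacier's code: it takes a dictionary of response headers and reports deviations from the policy the list implies. The two header sets are constructed for the example, and the thresholds (one-year HSTS max-age, the set of "safe" referrer policies) are this example's assumptions, not values published by Glacier.

```python
import re

# Policy assumptions for this example (not Glacier's published values).
REQUIRED = ("Content-Security-Policy", "X-Frame-Options",
            "Strict-Transport-Security", "Referrer-Policy")
MIN_HSTS_MAX_AGE = 31536000  # one year, the common minimum for HSTS (and for preload)
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                          "strict-origin-when-cross-origin"}


def _csp_directives(csp):
    """Parse 'default-src X; script-src Y' into {directive: [sources]}."""
    out = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit_headers(headers):
    """Return a list of findings; an empty list means the header set matches the policy."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    for name in REQUIRED:
        if name.lower() not in h:
            findings.append(f"missing {name}")

    hsts = h.get("strict-transport-security")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m:
            findings.append("HSTS without max-age")
        elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {m.group(1)} below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy")
    if csp:
        d = _csp_directives(csp)
        # script-src falls back to default-src when absent, as browsers do
        script_src = d.get("script-src", d.get("default-src"))
        if script_src is None:
            findings.append("CSP has neither script-src nor default-src")
        else:
            has_nonce_or_hash = any(
                t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                for t in script_src)
            # CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present
            if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
                findings.append("CSP script-src allows 'unsafe-inline' without nonce/hash")
            if "*" in script_src:
                findings.append("CSP script-src allows any origin (*)")
        if "frame-ancestors" not in d and "x-frame-options" not in h:
            findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")

    xfo = h.get("x-frame-options")
    if xfo and xfo.strip().upper() not in {"DENY", "SAMEORIGIN"}:
        findings.append(f"X-Frame-Options value {xfo!r} is not DENY/SAMEORIGIN")

    rp = h.get("referrer-policy")
    if rp and rp.strip().lower() not in SAFE_REFERRER_POLICIES:
        findings.append(f"Referrer-Policy {rp!r} may leak full URLs cross-origin")

    return findings


# Constructed sample responses (not captured from any real host).
GOOD = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK = {
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD), ("weak", WEAK)):
        print(label, audit_headers(hdrs) or "OK")
```

Run the function against the headers of a real response (for instance from `requests.head(url).headers`) to turn the bullet into a repeatable check; the WEAK set shows how a site can carry every listed header and still be badly configured.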

Access Management

  • Single Sign-On (SSO) via SAML/OIDC
  • Role-Based Access Control (RBAC) with least-privilege principles
  • Named accounts for all administrative access
  • Production access restricted to authorized engineering personnel only
  • All access logged with user ID, timestamp, and action

Secure Development Lifecycle

  • Mandatory peer code review for all changes
  • Static Application Security Testing (SAST) via CodeQL
  • Automated dependency scanning (Dependabot/Snyk)
  • Annual external penetration testing
  • Quarterly automated vulnerability scans
  • Change control tracked via Git/CI with rollback plans

Monitoring & Incident Response

  • Centralized logging and metrics with severity-based alerting
  • Defined incident severity model (P1–P4) with SLA targets
  • GDPR-compliant breach notification process: supervisory authority notified within 72 hours of becoming aware of a personal data breach (Art. 33)
  • Post-incident root cause analysis with corrective actions tracked to closure
  • On-call engineering team for critical incidents

Compliance & Certifications

  • GDPR compliant with documented Technical and Organizational Measures (TOMs)
  • Security program structured following ISO/IEC 27001/27002 framework principles
  • Controls informed by OWASP, NIST, ENISA, and BSI best practices
  • Annual program reviews and continuous improvement
  • SOC 2 Type I preparation in progress

Employee Security

  • Mandatory security onboarding for all new hires
  • Annual security awareness refresher training
  • Background checks for personnel with data access
  • Clear security policies covering passwords, devices, and data handling

Vendor Management

  • Due diligence assessment for all subprocessors (security certifications, DPA/SCCs)
  • Ongoing monitoring of vendor security posture
  • Annual vendor reviews
  • Data Processing Agreements with all third-party processors

Business Continuity

  • Availability targets: 99.5–99.9% depending on the contracted service level
  • Recovery Point Objective (RPO): ≤ 24 hours
  • Recovery Time Objective (RTO): ≤ 8 hours
  • Daily automated backups with defined retention schedules

Responsible Disclosure

If you discover a security vulnerability in our systems, we encourage responsible disclosure. Please report any findings to:

Email: security@glacier.eco

We commit to acknowledging reports within 48 hours and will work with you to understand and remediate valid findings. We will not pursue legal action against researchers acting in good faith.

Questions?

For security-related inquiries, please contact us at security@glacier.eco or hello@glacier.eco.
